Back to skill

Security audit

Cost Prediction

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local construction cost prediction helper, with no evidence of network access, credential use, persistence, or unrelated behavior.

Install only if you are comfortable granting local filesystem access for the datasets and model files you choose to use. Review the input CSV paths and model output locations before running it, and treat trained model files as local project artifacts. The publisher should update the manifest to mention Gradient Boosting or remove that example for clarity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The manifest description explicitly scopes the skill to three model families: Linear Regression, K-Nearest Neighbors, and Random Forest. The file additionally provides a full training example for Gradient Boosting, which expands the documented behavior beyond the manifest's stated model set.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.